Fixed TLS certs validation for consenters (release-2.2) #2005
ef5d318 to f562ae9
FAB-18192 Fixed TLS certs validation for consenters. Verification of TLS cert against simulated config, not the last one. To achieve that, metadata validator interface was changed, now it requires orderer config instead of just consensus metadata. Also, TLS verification was moved to VerifyMetadata function, it shouldn't have been part of ComputeMembershipChanges. Fixed tests.
Signed-off-by: Vladyslav Kopaihorodskyi <vlad.kopaygorodsky@gmail.com>

FAB-18192
Signed-off-by: Will Lahti <wtlahti@us.ibm.com>

It was accidentally verifying only the clientCert and not the cert that was passed in. FAB-18269
Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
f562ae9 to 05e1791
Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
fda3d1a to c032d47
This looks ok to me, but maybe @jyellick can take a quick look as well.
Looks good to me -- is this last commit already forward ported to master?
Yes, it was merged yesterday. Thanks, Gari and Jason!
Type of change
Description
First commit:
Verification of consenter's TLS certs against simulated config, not the last one. To achieve that, metadata validator interface was changed, now it requires orderer config instead of just consensus metadata. Also, TLS verification was moved to VerifyConfigMetadata function. Added ignoreCertExpiration option to ignore expiration errors when validating config metadata.
Second commit:
Third commit:
Related issues
FAB-18192
FAB-18269
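
The check described in the first commit, as an added example that is not code from this pull request or from Fabric: a consenter TLS certificate is verified against the root pool of the proposed config, with an optional ignore-expiration mode. The names `issue` and `validateConsenterCert`, the constructed test CAs, and the choice to re-verify at a time inside the certificate's validity window (so that an expired certificate from an untrusted CA is still rejected) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-72 * time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validateConsenterCert (hypothetical name) verifies cert against the TLS roots of the proposed config.
func validateConsenterCert(cert *x509.Certificate, proposedRoots *x509.CertPool, ignoreExpiration bool) error {
	opts := x509.VerifyOptions{Roots: proposedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := cert.Verify(opts)
	var invalid x509.CertificateInvalidError
	if ignoreExpiration && errors.As(err, &invalid) && invalid.Reason == x509.Expired && time.Now().After(cert.NotAfter) {
		opts.CurrentTime = cert.NotAfter.Add(-time.Second) // retry inside the validity window: chain is still checked
		_, err = cert.Verify(opts)
	}
	return err
}

func main() {
	ca, caKey := issue("ca-in-proposed-config", time.Now().Add(24*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	expired, _ := issue("consenter", time.Now().Add(-24*time.Hour), ca, caKey)
	fmt.Println("strict:", validateConsenterCert(expired, roots, false), "| ignoring expiration:", validateConsenterCert(expired, roots, true))
}
```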